
The Schmooze Strikes Back

March 22, 2011 | Posted in News

Social-Engineer.Org’s mission has been to raise awareness for social engineering and the role it plays in targeted attacks against companies today.

As security technology advances, attackers are increasingly leveraging social engineering techniques in order to gain unauthorized access to global organizations and Fortune 500 companies.

In our continued efforts to raise awareness, Social-Engineer.org is proud to announce the Defcon 19 Social Engineering Capture the Flag (SECTF) 2: “The Schmooze Strikes Back”. Using the lessons we learned from Defcon 18, we expect to once again set new standards for raising awareness of social engineering issues.

Last year, in our first SECTF, we demonstrated the ease with which inexperienced social engineers can extract potentially sensitive information from Fortune 500 corporations in America. The CTF clearly demonstrated how easy it was for social engineers to extract information from targets on the phone. Our final report was downloaded over 300,000 times and helped organizations make dramatic improvements to their security programs.

This year we are refreshing the format of the SECTF. Changes have been put in place to improve the quality of the contest and better demonstrate the threat of malicious social engineering.

• PREMIER TARGETS. A small selection of companies have agreed to work with Social-Engineer.Org and allow us to use their organizations as full-on social engineering targets. These companies have aggressive security awareness programs and have agreed to put these programs to the test, publicly.

• Contestant research and reporting will be improved. A sample report will be provided to all contestants, demonstrating what is expected in terms of content, structure, and composition. A professionally done audit report will be required of each contestant.

• A new “target ranking system” will be introduced. While we will not list what data was extracted from the targeted companies, for privacy reasons, we will list the companies we target and how they fared in the contest. We will rank targeted companies against other companies called in the same industry, and in total against all companies called. The intent is not only to point out companies that have improvements to make, but also to give credit to companies that have effective and strong information security programs.

Just like last year, we will not target any directly sensitive information such as passwords, IP addresses, social security numbers, credit card numbers, and so on. There are entire industries we will not target unless the company is a premier target, such as government, health care, finance and education. Like last year, great care will be taken to protect the privacy of targeted companies and to keep the contest morally clean and legal.

We expect this year's SECTF to be even more exciting, especially due to our highlight event during the contest, which for now will remain undisclosed….

If you think “the Schmooze” is strong with you and want to showcase your social engineering skills, then….

This Event is Being Sponsored by:

[Sponsor logos (images not preserved): offsec, Core, eff]

The CTF Rules

  • Each social engineer is sent, via email, a dossier with the name and URL of their target company, chosen from the pool of submitted names.

  • Before Defcon, contestants are allowed to gather any type of information they can glean from the target's websites, Google searches and other passive information-gathering techniques. Contestants are prohibited from calling, emailing or contacting the company in any way before the Defcon event. We will be monitoring this, and points will be deducted for “cheating”.

  • The goal is to gather points for the information obtained and to plan a realistic and appropriate attack vector. A list of flags will be provided, and points will be awarded for discovered items. All information should be stored in a professional-looking report; contestants will be sent a sample report that they MUST follow as a guideline. A large portion of the score will be determined by the quality of the report's content. Just “dumping” dozens of pages of information into a Word document is not an acceptable report. Discovered items must be clearly communicated. Information gathered in this phase of the contest will both set the stage for your success in the later calls and establish the baseline for your initial score. These reports are for the purposes of scoring only, and Social-Engineer.org will not be making them public.

  • Contestants will submit their dossiers for review to the judging panel on or before June 1st. Late submission can disqualify a contestant from the contest.

  • Contestants will be sent their time slot (day/time) for performing their attack vector at Defcon after the reports are reviewed, at least one week prior to Defcon.

  • Contestants are then given 20-25 minutes to perform their attack vector, and points are awarded for information gathered as well as goals successfully accomplished during the process. (More time may be allotted based on the number of contestants; however, all contestants will be allowed the same amount of time.)

  • A scoreboard will be kept, and at the end some excellent prizes will be awarded.

1st Place – A 16GB iPad 2 or maybe a Xoom preloaded with BT5, a Winner's Plaque and a spot on the Social-Engineer.org Podcast

2nd Place – An 8GB iPod and a 2nd Place Winner's Plaque


The underlying idea of this contest is: no one gets victimized for the duration of this contest. Social engineering skills can be demonstrated without engaging in unethical activities. The contest focuses on the skills of the contestant, not on who does the most damage. Our goal is to raise awareness of the threat that social engineering poses to corporations today.

Items that are not allowed to be targeted at any point of the contest:

  • 1) No going after very confidential data (e.g. SSNs, credit card numbers, etc.). No illegal/sensitive data.

  • 2) Nothing that can get Social-Engineer.org, Defcon, or the participants in the contest sued.

  • 3) No pornography; it cannot be used during the CTF in any form.

  • 4) At no point may any technique be used that would make a target feel as if they are “at risk” in any manner (e.g. “We have reason to believe that your account has been compromised.”).

  • 5) No targeting information such as passwords.

  • 6) No pretexts that would appear to be any manner of government agency, law enforcement, or legally liable entity.

  • 7) The social engineer must only call the target company, not relatives or family of any employee.

  • 8) Use common sense: if something seems unethical, don't do it. If you have questions, ask a judge.

If at any point in the contest it appears that contestants are targeting anything on the “No” list, they will receive one warning. After the one warning they are disqualified from the contest.

Submitting Target Companies

  • Submit the URLs of two Fortune 500, USA-based companies you feel would make a good target

  • Please avoid government agencies and defense contractors

  • It is NOT a given that you will receive one of the companies you suggest as your target, so recommend wisely

  • Companies must have a telephone number available in the USA for the attack to be launched at Defcon
